A while back Microsoft sent warning emails to the registered Windows Phone 7 developers about the threats their apps might face once published on the Marketplace. The apps on the Marketplace are available for download without any authentication required. All you need to get an app is the direct link to its .xap file, something of the form http://apps.marketplace.windowsphone.com/app-guid-here/CurrentBinary.xap, which contains the app's DLL, and that DLL can be disassembled very easily with a tool such as Reflector. More info here.
Here’s an excerpt from the email:
It is important to note that because of the leak containment steps Microsoft takes applications obtained outside of Marketplace will not run on consumer retail devices. Modified files would only run on a limited number of “unlocked” phones, such as those that have been registered by Marketplace developers on App Hub….
One powerful tool for protecting your apps and games is code obfuscation, which is a long standing best practice for managed code. Obfuscation is available in tools like the Dotfuscator product recently announced for Windows Phone 7 applications. Microsoft has partnered with PreEmptive Solutions to make this tool, as well as a robust application analytics solution, available to Windows Phone developers for free through March 31st, 2011.
Right now, it seems that the only option to protect your app is to use a code obfuscator, since anyone is allowed to download the app from Microsoft's servers without any restriction, whether they are using a real Windows Phone 7 or sniffing the traffic made by the Zune software (yes, I’m not going to tell you how to do it! You need to figure it out yourself).
For demonstration purposes, here is what Reflector shows when applied to an obfuscated DLL and to a non-obfuscated one:
1. Obfuscated
2. Clear
As you can see, on the obfuscated version Reflector shows either a message saying that the code was obfuscated and cannot be disassembled, or a bunch of unreadable variable names with a lot of “goto” instructions.
On the other hand, the non-obfuscated version is disassembled to (almost) the original source code; only the comments are missing.
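Since a .xap is just a zip archive holding the managed DLL, a developer can check before uploading whether the build that will land on the Marketplace still carries readable names. The script below is an added example, not code from the original post or from PreEmptive: it unpacks a .xap in memory and scores each assembly with a simple heuristic (the share of ASCII identifiers that look developer-written, such as PascalCase or underscored names of six or more characters, versus single-letter names that renaming obfuscators typically emit). The two "assemblies" it scans are constructed byte strings standing in for the #Strings metadata heap, not real compiled code, and the 15% threshold is an assumption chosen for the demo; a stricter check would parse the CLI metadata streams rather than scanning raw bytes.

```python
import io
import re
import zipfile

# ASCII identifier-like runs. Renaming obfuscators usually emit names such as
# a, b, c (or unprintable ones); unobfuscated builds keep the developer's names.
IDENT_RE = re.compile(rb"[A-Za-z_][A-Za-z0-9_]{0,127}")

# Assumed threshold: below this share of descriptive names we call the DLL obfuscated.
OBFUSCATED_RATIO = 0.15


def is_descriptive(name: str, min_len: int = 6) -> bool:
    """Heuristic for a developer-written name such as ValidateLicenseKey or _licenseKey.
    Requires min_len chars plus an underscore or an uppercase letter after the first
    character, so framework fragments like 'System' or 'Button' (which survive
    obfuscation because they are references) are not counted."""
    return len(name) >= min_len and ("_" in name or any(c.isupper() for c in name[1:]))


def identifier_stats(blob: bytes, min_len: int = 6) -> dict:
    """Count identifier-like runs in raw assembly bytes and classify them."""
    tokens = [t.decode("ascii") for t in IDENT_RE.findall(blob)]
    descriptive = [t for t in tokens if is_descriptive(t, min_len)]
    total = len(tokens)
    return {
        "total": total,
        "descriptive": len(descriptive),
        "single_letter": sum(1 for t in tokens if len(t) == 1),
        "ratio": len(descriptive) / total if total else 0.0,
        # A few surviving names so a human can judge whether they are the app's own.
        "sample": sorted(set(descriptive))[:10],
    }


def looks_obfuscated(blob: bytes, threshold: float = OBFUSCATED_RATIO) -> bool:
    return identifier_stats(blob)["ratio"] < threshold


def scan_xap(xap_bytes: bytes) -> dict:
    """A .xap is a zip archive; score every managed assembly (.dll) inside it."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".dll"):
                data = zf.read(info)
                stats = identifier_stats(data)
                stats["obfuscated"] = looks_obfuscated(data)
                report[info.filename] = stats
    return report


def build_sample_xap(entries: dict) -> bytes:
    """Constructed in-memory .xap for the demo (the entries are not real assemblies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for the #Strings heap of a clear and an obfuscated build.
CLEAR_SAMPLE = b"\x00".join([
    b"MainPage", b"InitializeComponent", b"ButtonLogin_Click", b"ValidateLicenseKey",
    b"_licenseKey", b"System.Windows.Controls", b"Button", b"mscorlib",
])
OBFUSCATED_SAMPLE = b"\x00".join([
    b"a", b"b", b"c", b"d", b"e", b"f",
    b"System.Windows.Controls", b"Button", b"mscorlib",
])

if __name__ == "__main__":
    xap = build_sample_xap({
        "App.dll": CLEAR_SAMPLE,
        "Lib.dll": OBFUSCATED_SAMPLE,
        "WMAppManifest.xml": b"<Deployment/>",
    })
    for name, stats in scan_xap(xap).items():
        verdict = "obfuscated" if stats["obfuscated"] else "CLEAR: obfuscate before publishing"
        print(f"{name}: {stats['descriptive']}/{stats['total']} descriptive names -> {verdict}")
        if stats["sample"]:
            print("  e.g.", ", ".join(stats["sample"]))
```

On a real DLL the raw-byte scan also picks up short runs from machine code and resource data, so the decisive number is the count of descriptive names (and the listed sample), not the single-letter count; treat a non-empty sample of your own type and method names as the signal that the build was not obfuscated.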
Last word: if you are developing anything for Windows Phone 7, do not forget to obfuscate your code before publishing your app on the Marketplace.